Loved the idea of a Makefile to do this. So I adapted ztact's Makefile (which doesn't do full encryption on lvm2) and made it work for luks encrypted lvm2 partitions, so you get your swap and data partitions encrypted too: http://j.mp/makelmde

It works for both the Mate and the Cinnamon 32bit editions (64bit editions not tested).

"This Makefile will result in a working install of Linux Mint Debian Edition edition (version 201303) on a luks encrypted lvm2 partition with root, swap and data filesystem"

6. Answer the questions as they come up:
- password for encryption (twice the same)
- password for decryption (same again)
- password for user, and some irrelevant info
- about the keyboard
- about the timezone

And that's it!

Last edited by Pepas on Fri May 03, 2013 2:43 am, edited 2 times in total.

I think an encrypted home partition is supported, which might be sufficient for home users, but the above method encrypts the OS, the swap partition and optionally a data/home partition, so it is much more secure.

At the moment I play with Kali and I must say, they put a great installation routine together. Encryption of the whole disk is supported and it is only one click farther away than the unencrypted installation. I'm no developer, I can't port that.

Every evening when I watch the news, I see dictators, social networks and (even European) countries spying on their own people. We let it happen that encryption, information self-defence, is only achievable by some geeks...

If LM doesn't want to provide (the possibility of) encryption it looks like we don't want/need/like people who are in worse situations than we are. I don't want to say that this is a discrimination of non-tech-people. Just think about a girl who gets spied on by her creepy uncle who wants her last beach holiday pictures. Or a journalist who happens to tap into a big food scandal, or a manager who loses his private laptop with some business data, ... The worst thing about half-encryption is not the lost data but the false assumption about security. Just buy a used smartphone and follow a forensic tutorial from the internet - you can have fun for weeks.

I see the same false sense of security at the download section of the LM isos. We just get an md5sum which helps for completeness, but not for integrity. I smell Windows: by using some virus scan-snake oil we pretend that the system is safe. How about a gpg signature? It could be provided quite easily.

Pepas, I'm not saying this to you, as your Makefile is what we need more of. I'm just sad to see what wonderful ideas are realised by the LM community and then they forget to implement the most basic security.

1986 wrote: how can I do unencrypted boot on USB, and full encrypted HDD then? because I wanna boot system from USB

Have a look at the application "cryptkeeper". It's a tray applet that allows you to create and access encrypted folders. These folders are then hidden and can only be accessed via the cryptkeeper applet using a password.

Perhaps this is a simpler way of achieving what you are looking for?

I'm looking for the same thing that 1986 is looking for. Cryptkeeper will not do. In an episode of Hak5, int0x80 explains how to do it with BackTrack 5. However, I'd like this same thing but with LMDE. Also, I'm wondering about the first commands given by OP that install the tools. Where are they installed? Do I need a live USB rather than a DVD?

Pepas wrote: Loved the idea of a Makefile to do this. So I adapted ztact's Makefile (which doesn't do full encryption on lvm2) and made it work for luks encrypted lvm2 partitions, so you get your swap and data partitions encrypted too: http://j.mp/makelmde It works for both the Mate and the Cinnamon 32bit editions (64bit editions not tested).

Upgraded the Makefile to work with LMDE 201403 as well. It works for both the Mate and the Cinnamon 32bit and 64bit editions.

Makefile: http://j.mp/makelmde

"This Makefile will result in a working install of Linux Mint Debian Edition edition (version 201303 or 201403) on a luks encrypted lvm2 partition with root, swap and data filesystem"

6. Answer the questions as they come up:
- password for encryption (twice the same)
- password for decryption (same again)
Then after a wait for all the preparations to have happened:
- password for user, and some irrelevant info
- about the keyboard
- about the timezone

I get an error after typing make all (201403); the console returns the error below. I didn't open the Makefile.

Makefile:2: *** missing separator. Stop.

edit: So I tried just commenting out the set line. Get the same error on line 138 instead also. With 2nd line commented out ... 151 after commenting that out. Seems to be a lot of malformed separators in this version...

Note I have a git repo here. It should be considerably more reliable than dropbox :-) but unfortunately it currently (on branch=`master`) only supports LVM2 && LUKS, i.e., not LVM2 && !LUKS. It has a branch=`support_LVM2_without_LUKS` for LVM2 && !LUKS, but I don't have that working yet. Feel free to fork and += pull request!

The main difference (other than ease of access, history, and the other goodnesses of an online DVCS) between PePas' excellent code and current code in the repo (which forks PePas) is, my code separates the usual user-set properties into a separate properties file (e.g., this). The hope is, folks won't hafta touch the main script (except to improve it!) and can just attach or link to their properties file in case of problems.

I think in your bash script this works. I used the original post of this thread which does unsquashfs and had an old location.

I checked your script and the mounted squashfs seems to match what I have on my system:

drwxr-xr-x 21 root root 338 Feb 27 2014 /lib/live/mount/rootfs/filesystem.squashfs/

Would be nice if the top post of this thread would point to the install script.

Georges